Remediation Steps

Follow the steps below to remediate this finding on WordPress.

  1. Always pass user-controlled values to $wpdb->prepare() through placeholders (%d, %s, %f) instead of concatenating them into the query string. Placeholders bind values only; table and column names cannot be bound this way, so reference tables through the $wpdb properties (for example $wpdb->posts rather than a hard-coded wp_posts) so the site's configured table prefix is honoured:

    $results = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->posts} WHERE ID = %d",
            $postId   // %d casts the value to an integer before it reaches SQL
        )
    );
  2. Use the WordPress query API (WP_Query, get_posts()) instead of raw SQL where possible; the API builds and escapes the SQL itself, so no query string is ever assembled from request input.

  3. Never interpolate $_GET, $_POST, $_COOKIE or $_REQUEST values directly into SQL strings. This includes partial escaping: a value in a LIKE pattern must go through $wpdb->esc_like() before it is bound with %s, and a value that selects query logic (an ORDER BY column, a post status) should be checked against an allow-list rather than escaped.
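The three steps above applied to one handler, as an added example that is not part of the original page or of WordPress itself: a vulnerable search function that interpolates request values, its hardened equivalent using placeholders, esc_like() and an allow-list, and the same lookup through WP_Query. It assumes it runs inside a WordPress plugin so that $wpdb and WP_Query are available; the function and parameter names are hypothetical.

```php
<?php
// Added example, not code from the original page. Assumes the WordPress
// runtime (global $wpdb, wpdb::prepare(), wpdb::esc_like(), WP_Query).
// Function and parameter names are hypothetical.

// BEFORE: the finding. Request values are dropped straight into SQL.
function example_find_posts_vulnerable() {
    global $wpdb;
    $term   = $_GET['q'];       // untrusted
    $status = $_GET['status'];  // untrusted
    // A value such as  ' OR 1=1 --  in $_GET['q'] rewrites the query.
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_title LIKE '%{$term}%' AND post_status = '{$status}'";
    return $wpdb->get_results( $sql );
}

// AFTER: every user value is bound through a placeholder.
// prepare() quotes and escapes %s and casts %d/%f; the LIKE wildcards
// in the input are neutralised with esc_like() before binding.
function example_find_posts_hardened( $term, $status, array $ids ) {
    global $wpdb;

    // $status steers query logic, so allow-list it rather than escape it.
    $allowed = array( 'publish', 'draft', 'pending' );
    if ( ! in_array( $status, $allowed, true ) ) {
        $status = 'publish';
    }

    // esc_like() escapes % and _ in the user's term; the surrounding
    // wildcards are ours and are added afterwards.
    $like = '%' . $wpdb->esc_like( $term ) . '%';

    $query = "SELECT ID, post_title FROM {$wpdb->posts}
              WHERE post_title LIKE %s AND post_status = %s";
    $args  = array( $like, $status );

    // A variable-length IN (...) list needs one placeholder per value.
    // An empty list is skipped, since "IN ()" is a MySQL syntax error.
    $ids = array_map( 'absint', $ids );
    if ( ! empty( $ids ) ) {
        $in     = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
        $query .= " AND ID IN ($in)";
        $args   = array_merge( $args, $ids );
    }

    // Table name comes from $wpdb->posts, not a hard-coded wp_posts,
    // so the configured table prefix is honoured.
    return $wpdb->get_results( $wpdb->prepare( $query, $args ) );
}

// Step 2: the query API builds the SQL itself, so no raw string is
// assembled from request input at all. $status is allow-listed by the caller.
function example_find_posts_api( $term, $status, array $ids ) {
    $params = array(
        's'              => sanitize_text_field( $term ),
        'post_status'    => $status,
        'fields'         => 'ids',
        'posts_per_page' => 20,
    );
    if ( ! empty( $ids ) ) {
        $params['post__in'] = array_map( 'absint', $ids );
    }
    $q = new WP_Query( $params );
    return $q->posts;
}
```

The hardened version still contains a dynamic fragment (the IN list), but only the placeholders are generated dynamically; the user's values never touch the query string. Passing the argument list as a single array to $wpdb->prepare() is supported, which keeps the placeholder count and the value count in one place where they can be compared.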